GRUB2 Secure Boot Vulnerability: Boothole




Now that we’ve got this out of the way

I’m genuinely shocked nobody noticed this flaw until now.


Red Hat has a good page on this


Added to the original post.

Uh oh, the fix is bricking some systems:


Thanks for finding that :+1: (red hat looks to have made a fixed shim for this bug)

As I understand there may be implications for non linux machines as well. anyone know if they released any more detail? they only seemed to go down the grub route specifically.

1 Like

Worth having a look over the microsoft advisory and the available mitigations

1 Like

I suppose there will be an update to grub at some point,
to fix the problem?

Yes. There’s is a revolution files for the accepted certificates. Microsoft won’t deploy this until 2021. It can be manually installed though (but you must be careful to check it won’t block your own system on Linux). Linux disteis have patches but a number have had some issues with no boot problems. That’s being fixed atm


I hope Red Hat backports a few versions of Fedora with this. Cause this is kinda serious. (Still on Fedora 28)

Fedora 28 is EOL (over a year ago), it wont be back-ported

1 Like

Is there some legacy software that’s keeping you on F28?

The kernel stability and stable version of QEMU that I know how to work with is the big keeper, and old versions of Waterfox.

You should move to CentOS probably in that case. (after they release the grub patch :smiley: )

1 Like

Too many things are stable in my current OS state though. It’s rock solid to the point nothing breaks. No Nvidia trouble, no Blackmagic trouble, no trouble period.

Except that your system is riddled with vulnerabilities. Just keep that in mind. However thats another thread i suppose.


Regressions for QEMU are something I really don’t want to deal with unless it’s a platform switch from X79 to X299 for example. Still can’t find that damn motherboard.

You really should be on something like CentOS 8.

As F28 was the distro that EL8 is based off of you should not have any trouble.

If you only want to get security fixes I can teach you how to exclude feature updates and just get security patches.


That’s quite a monumental task if it’s manual installation like Arch. I have a very logically laid out partition table and that’s a huge risk to mess it up.

It’s probably best to do a reinstallation, but its not manual like arch. There is a nice point and click style GUI.

And if you have separated out your /home then your data should be fine.

By default, LVM sets the / to a max of 50 GiB and allocates the rest to /home but during the install you can even separate out partitions for /var and such.

1 Like